Low-Level Vulnerabilities

Presentation on theme: "Low-Level Vulnerabilities"— Presentation transcript:

1 Low-Level Vulnerabilities
Lecture 4 Low-Level Vulnerabilities

2 Course Agenda
Bring you up to scratch on:
Some Cryptography
Some Assembly
Some Linux
Then talk information security:
Low-level vulnerabilities
Network vulnerabilities
Web vulnerabilities

3 Today’s Agenda
Terminology
Vulnerabilities
Exploits
Buffer overflows
Stack overflow, format vulnerabilities, integer overflows
Mitigations

4 Vulnerabilities
A vulnerability is:
A system susceptibility to a flaw
An attacker’s access to that flaw
And that attacker’s ability to exploit that flaw
A flaw in a system’s design, implementation, or operation (that can be exploited to violate the system security policy)
A bug

5 A Flaw in a System’s Design…
A logical vulnerability Most commonly, unconsidered usages

6 … Implementation, …
A technical vulnerability
Most commonly, a programming mistake
Sometimes due to human error
Example: goto fail (the slide shows the code fragment `fail: return err;`)
Most often due to complexity
Example: use after free

7 … Or Operation
An operational vulnerability
Most commonly, social engineering
People are easily tricked
“Could you check your event log?”
“My phone was stolen… can you reset my password?”
“To unsubscribe from this spam, click here”
Daisy chaining accounts: Gmail is enough

8 Integration Vulnerabilities
Two secure components may be insecurely combined
(diagram: the GUI developer asks “Where do I put GUI-related data?” (icon and file name); the ZIP developer answers “Use the extra field”)

9 Binary Vulnerabilities
A secure high-level component may be insecure in low-level

10 Exploits
Leveraging a vulnerability to violate the system security policy
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Information Disclosure
Remote Code Execution (RCE)
Privilege Escalation (PE)
Domino: a combination of all of the above.

11 Denial of Service
A client shouldn’t be able to overload a server
Unless the server is doing something terribly wrong
Slowly parsing input edge cases (RE, XML, dates…)
Crashes
1,000,000 clients may be able to overload a server
Reflection attacks
IoT

12 Information Disclosure
Disclosing private data
Disclosing technical data
Error messages
Memory dumps
Example:
Login rejected after the name is entered: “no carol account” (reveals which accounts exist)
Login rejected only after name and password are typed: better

13 Remote Code Execution
Hijacking control of a remote target
The “Holy Grail”
Send a server a request that lets you access and control it
Serve clients responses that let you access and control them

14 Privilege Escalation
Often the vulnerable process is low-privilege (e.g. a non-root account)
From there, hijack control of a privileged (root) target
Examples of low-privilege processes:
The web server shouldn’t have access to all the system’s resources
The web browser shouldn’t have access to all the user’s files

15 But Why?
Fun: ÜB3R 1337 H4XX0R
Profit: stealing money, stealing stuff that’s worth money (blackmail / extortion)
Espionage: stealing information
Destruction: infrastructure, transport, cybernetics

16 So Who?
Security researchers / hackers
Money: bug bounty programs (… and black markets)
Karma: responsible disclosure, Common Vulnerabilities and Exposures (CVEs)
Corporations
The Good: Project Zero
The Bad: HackingTeam
The Ugly: NSA (Vault7)

17 Buffer Overflows

18 Buffer Overflow
C does not enforce limits on buffers (arrays):
char buff[32];
buff[50] = '\0';
When too much data is written to a buffer, it overflows
Happens with naïve functions like strcpy
The result is undefined
Or is it?

19 Variable Overflow
The buffer is allocated on the stack…
… with other variables …
… that affect the program execution flow
Solution: the compiler reorders variables!
Arrays above scalars
Helps (only a little)
(diagram: two stack layouts with the low address at the bottom; before reordering buff sits below auth, so an overflow runs into auth; after reordering auth sits below buff)

20 Stack Overflow
The buffer is allocated on the stack…
… with the function return address …
… that determines the program execution flow
But what do we write? Garbage!
DoS (segmentation fault)
Can we get code execution?
(diagram: buff at 0xbfff100, saved EBP at 0xbfff200, return address (EIP) at 0xbfff204; the overwritten return address 0xbfff100 points back into buff, where the code is)

21 Shellcodes
What code would you execute?
A shellcode: code that spawns a shell
Which can be used to do anything
E.g.: exec("/bin/sh")
A few caveats
With RCE, it must be a remote shell
With non-interactive attacks, it must be an autonomous program

22 The Code Itself
Must be stand-alone machine code (i.e. not a program)
The dynamic linker doesn’t load it, so no relocations
Which means no library functions
Unless they’re already loaded
But you have to know their address in the PLT to jump there

23 Caveats
Limited character set
strcpy means no 0x00s
ASCII means no bytes higher than 0x80
Unicode means pain
Limited size
The stack is still being used
The overflow might cause a crash before the function returns
The still-executing function may scramble our neat shellcode
(diagram: buff, EBP, EIP and the code at 0xbfff20C)

24 How to Learn the Stack Address?
LAMP is an open-source application stack (Linux, Apache, MySQL, PHP)
So its stack address may be rather predictable
Brute force?
Information disclosure
NOP slides

25 NOP Slides
NOP (0x90) is an opcode that does nothing
In a standard shellcode, we must land precisely on the first opcode
But if we pad the shellcode with as many NOPs as possible
Landing anywhere in the NOP slide is OK
Some math
Suppose len(shellcode) = 0x30
Add 0x70 NOPs
Optimal RET is 0xbfff138 (NOT 0xbfff100!) [0x70 / 2 == 0x38]
(diagram: NOPs followed by the code in buff at 0xbfff100, EBP at 0xbfff200, EIP at 0xbfff204 overwritten with 0xbfff138)

26 Many unsafe libc functions
strcpy(char *dest, const char *src)
strcat(char *dest, const char *src)
gets(char *s)
scanf(const char *format, …)
Better: strncpy/memcpy/fgets/fread/recv (accept a “size” argument)

27 Safe Functions (?)
char* strncpy(char* dest, const char* src, size_t n) may leave the string unterminated...
size_t is unsigned int ...
if (n < MAX_TEXT) strncpy(dest, src, n);
What if n == -1?
n is cast to unsigned int: 4,294,967,295 (2^32-1) bytes copied! (segmentation fault → DoS)
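The two problems on this slide, a signed length that slips past the bound check and a strncpy that leaves no terminator, are easy to reproduce and easy to fix. The following C is an added example (not code from the lecture); MAX_TEXT, the 16-byte destination and the function names are assumptions made for the demonstration. The buggy check is only modelled, never used to drive a real copy.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TEXT 64   /* assumed destination capacity for this example */

/* The check from the slide: n is a signed int compared against a plain
 * constant, so n == -1 passes and would then be converted to size_t
 * (4,294,967,295 on 32-bit) on the way into strncpy.
 * Returns 1 when the copy would be attempted. */
int length_check_buggy(int n) {
    return n < MAX_TEXT;
}

/* Hardened check: reject negative lengths before any signed/unsigned
 * conversion can happen. */
int length_check_fixed(int n) {
    return n >= 0 && n < MAX_TEXT;
}

/* strncpy does not terminate dst when src is n bytes or longer.
 * copy_bounded always terminates and reports truncation instead of
 * silently producing an unterminated buffer.
 * Returns 0 on success, -1 if src did not fit (dst holds a terminated prefix). */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t src_len = strlen(src);
    if (src_len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len + 1);   /* +1 copies the terminator */
    return 0;
}

/* Shows the strncpy termination problem directly: returns 1 if strncpy left
 * no NUL within the first n bytes of a 16-byte buffer, 0 if it did,
 * -1 if n would overrun the demo buffer. */
int strncpy_left_unterminated(size_t n, const char *src) {
    char dst[16];
    if (n > sizeof dst) return -1;
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}
```

Compiling with -Wsign-compare (part of -Wextra in GCC) flags the comparison in the buggy check; the fixed version also refuses lengths that would leave no room for the terminator.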

28 More Issues with Integers

29 What Does This Code Do?

30 Integer Overflow
Integer overflow: an arithmetic operation attempts to create a numeric value that is larger than can be represented within the available storage space.
Example:
Test 1:
short x = 30000;
short y = 30000;
printf("%d\n", x+y);
Test 2:
short x = 30000;
short y = 30000;
short z = x + y;
printf("%d\n", z);
Will the two programs output the same?

31 C Data Types
short int / short: 16 bits [-32,768; 32,767]
unsigned short int: 16 bits [0; 65,535]
unsigned int: 32 bits [0; 4,294,967,295]
int: 32 bits [-2,147,483,648; 2,147,483,647]
long: 32 bits [-2,147,483,648; 2,147,483,647]
char: 8 bits [-128; 127]
unsigned char: 8 bits [0; 255]
long long: 64 bits
unsigned long long: 64 bits
For binary operators (+, -, *, /, %, &, |, ^):
If either operand is an unsigned long, both are cast to unsigned long
Else (both operands 32 bits or less), both are upcast to int, and the result is an int

32 Example: overflow + unsigned
Also off-by-one error here And missing string termination…

33 Format Issues

34 Reminder: Stack Frame
(diagram, high addresses at the top, low at the bottom, stack growing downwards)
Frame for function #1 that calls function #2:
return address #1
EBP #1
local variables
Argument 3
Argument 2
Argument 1
Argument 0
Frame for function #2:
return address #2
EBP #2
local variables
SP

35 Format String Vulnerabilities
int printf(const char* format, …)
printf("%d + %d = %d", 1, 2, 3)   OK
printf("%d + %d = %d")   Information Disclosure! (3 vars in the stack frame of the function calling printf)
printf(username)   prints as much stack as the attacker wants; lets the attacker estimate the stack address
Side note: you should do printf("%s", username)
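A user string passed as a format is dangerous because every '%' in it becomes an instruction to printf. The following C is an added example (not from the lecture): a small directive counter that a code reviewer or log auditor can use to recognise format-looking input, next to the safe call from the slide's side note where the format is a literal and the user string is only ever a %s argument. Names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives printf would act on if this string were
 * used as a format. "%%" is a literal percent sign and counts as none.
 * A lone '%' at the end of the string is counted: printf treats it as a
 * (malformed) directive too. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* skip the "%%" escape */
        count++;
    }
    return count;
}

/* A user-controlled string should never legitimately contain a directive,
 * so any directive at all is worth flagging. */
int looks_like_format_attack(const char *user_input) {
    return count_format_directives(user_input) > 0;
}

/* The safe shape: the format is a compile-time literal and username is a
 * %s argument, so its '%' characters are printed, not interpreted.
 * Writes into out so the result can be checked; returns the length formatted. */
int format_user_string(char *out, size_t out_size, const char *username) {
    return snprintf(out, out_size, "login attempt by %s", username);
}
```

GCC's -Wformat-security warns at compile time about printf(username)-style calls with no arguments; the counter above is for the cases the compiler cannot see, such as a format assembled at runtime.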

36 Weird printf format (“%n”)
“%n” writes the number of bytes formatted so far into a variable!
printf("abc %n", &x) will change the value of the variable x (to 4)
In other words, the parameter value on the stack is interpreted as a pointer to an integer, and the place pointed to by the pointer is overwritten

37 Exploiting %n
Writing to arbitrary memory:
printf("hello %n", &temp) writes 6 into temp
printf("%08x.%08x.%08x.%08x.%n") writes 36 into the address pointed to by the stack value 5 places up (the 5th “argument”)

38 ToCTToU

39 Time of Check to Time of Use
Time passes between checking and using an object
If we’re not careful, the object may change
Think of it like leaving your luggage unattended
This is most often an integration vulnerability
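The classic file-system instance of this: a check on a path followed by a use of the same path, with a window in between where the path can be re-pointed. The following C is an added example (not from the lecture) showing the racy shape beside the fixed one, which opens first and checks the object it actually got. It assumes a POSIX system; the scratch-file helper exists only so the checked open has a positive case.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: stat() the path, then open() the path. Between the two
 * calls the name can be re-pointed (replaced by a symlink, say), so the
 * object that was checked is not the object that gets used.
 * Returns an fd or -1. Shown only for its shape. */
int open_regular_racy(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return open(path, O_RDONLY);      /* path may have changed by now */
}

/* Fixed pattern: open first, then check via fstat() on the descriptor, which
 * refers to the object we hold regardless of what the name points to now.
 * O_NOFOLLOW refuses a symlink at the final component; O_CLOEXEC keeps the
 * fd from leaking to child processes. Returns an fd or -1. */
int open_regular_checked(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates an empty regular file for the positive case, trying /tmp and then
 * the working directory. Fills path (at least 32 bytes); returns 0 or -1. */
int make_scratch_file(char *path, size_t path_size) {
    const char *templates[] = { "/tmp/toctou_demo_XXXXXX", "./toctou_demo_XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        if (strlen(templates[i]) + 1 > path_size) return -1;
        strcpy(path, templates[i]);
        int fd = mkstemp(path);
        if (fd >= 0) { close(fd); return 0; }
    }
    return -1;
}
```

The rule generalises beyond files: whatever was validated (a descriptor, a pointer, a record) is what must be used, not a name that can be resolved again to something else.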

40 Avoid Writing Vulnerable Code…
Don’t write in C / C++?
… other languages have (other) issues
… and their compilers & run-time systems are written in C
Safe functions are better than unsafe functions
… but not perfect, there are many fine details
“Be good programmers” doesn’t scale
Most programmers are bad ):
Anyway, it just isn’t good enough

41 Stack Protections

42 Canaries
Create an “insurance policy”
Put some value on the stack
Before returning (i.e. in the epilogue), check that value

43 Canary Types
Terminator Canaries (‘\0\r\n…’)
Only good for strcpy vulnerabilities
Random Canary
A global variable generated at program initialization
Susceptible to information disclosure
But is inevitably pushed on the stack, so…
Random XOR Canary (random_canary ^ control_data)
Reading the stack is no longer enough
The global variable holding the canary is placed in a page surrounded by unmapped pages, to limit the chance of overwriting it
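To make the random and random-XOR canaries concrete, the following C is an added example (not from the lecture, and not how GCC lays out a real frame): a struct models a frame with the guard word sitting directly above the buffer and the "control data" above that, the prologue fills it, and the epilogue check returns whether smashing was detected. The overflow is simulated with a bounded memcpy over the whole struct so the demo stays within defined behaviour; the seed, the fake return address and all names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Model of a protected frame, low addresses first. */
struct frame {
    char buff[16];
    uint32_t canary;     /* guard word directly above the buffer */
    uint32_t ret_addr;   /* stands in for the saved return address (control data) */
};

/* The global the epilogue compares against; generated once at startup.
 * Assumption: the caller supplies the seed; a real implementation reads
 * it from the OS random source. */
static uint32_t stack_chk_guard;
void init_guard(uint32_t seed) { stack_chk_guard = seed; }

/* Prologue. xor_mode 0 = plain random canary, 1 = random XOR canary
 * (canary tied to the control data, as on the slide). */
static void frame_enter(struct frame *f, uint32_t ret_addr, int xor_mode) {
    memset(f->buff, 0, sizeof f->buff);
    f->ret_addr = ret_addr;
    f->canary = xor_mode ? (stack_chk_guard ^ ret_addr) : stack_chk_guard;
}

/* Epilogue check: 0 = frame intact, 1 = smashing detected (real code aborts). */
static int frame_leave(const struct frame *f, int xor_mode) {
    uint32_t expect = xor_mode ? (stack_chk_guard ^ f->ret_addr) : stack_chk_guard;
    return f->canary != expect;
}

/* Simulates an unbounded write of n copies of fill into buff.
 * Returns the epilogue result, or -1 if n exceeds the modelled frame. */
int run_with_fill(unsigned char fill, size_t n, int xor_mode) {
    struct frame f;
    if (n > sizeof f) return -1;
    frame_enter(&f, 0x08048500u, xor_mode);   /* constructed return address */
    memset(&f, fill, n);                       /* the overflow: spills past buff */
    return frame_leave(&f, xor_mode);
}

/* Why the XOR variant exists: suppose an information disclosure leaked the
 * canary value. The overflow replays that value in place and still changes
 * the return address. With a plain random canary the check passes (0);
 * with the XOR canary the replayed value no longer matches (1). */
int detects_replayed_canary(int xor_mode) {
    struct frame f;
    frame_enter(&f, 0x08048500u, xor_mode);
    uint32_t leaked = f.canary;              /* what the disclosure revealed */
    uint32_t new_ret = 0xbfff0100u;          /* constructed redirected target */
    unsigned char data[sizeof f];
    memset(data, 'A', sizeof f.buff);
    memcpy(data + sizeof f.buff, &leaked, sizeof leaked);
    memcpy(data + sizeof f.buff + sizeof leaked, &new_ret, sizeof new_ret);
    memcpy(&f, data, sizeof f);
    return frame_leave(&f, xor_mode);
}
```

The second function is the slide's "reading the stack is no longer enough" in miniature: the XOR check fails as soon as the control data changes, even when the canary bytes themselves are reproduced exactly.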

44 Canary Implementations
StackGuard implements all three canary types
Developed as part of Immunix, but never integrated into GCC
ProPolice implements the first two canary types
Developed by IBM for GCC
Reimplemented by Red Hat as -fstack-protector
(We compiled your exercise with -fno-stack-protector)
Not perfect, but does hinder the attacker
This is actually quite powerful

45 Non-Executable (NX) Stack!
The dynamic linker allocates pages and loads the program onto them
Each page can be marked as readable, writable, and/or executable
Mark the pages mapped as the stack to be non-executable:
execstack -c prog   # Clear (non-executable) - default
execstack -s prog   # Set as executable
execstack -q prog   # Query
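What execstack reads and writes is the PT_GNU_STACK program header: its PF_X flag tells the loader whether to map the stack executable. The following C is an added example (not from the lecture) that performs the same query on an ELF64 image, first from memory and then from a file; it assumes a Linux toolchain (elf.h) and a host with the same byte order as the image. The sample image is constructed in code and is only enough for the check, not a loadable program.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Results of the stack check. */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_NO_HEADER = 2, STACK_BAD_ELF = -1 };

/* Walk the program headers of an ELF64 image held in memory and report the
 * PT_GNU_STACK flags. Copies through memcpy so no alignment is assumed. */
int stack_flags_of_elf64(const unsigned char *img, size_t len) {
    if (len < sizeof(Elf64_Ehdr)) return STACK_BAD_ELF;
    Elf64_Ehdr eh;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return STACK_BAD_ELF;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return STACK_BAD_ELF;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(Elf64_Phdr);
        if (off + sizeof(Elf64_Phdr) > len) return STACK_BAD_ELF;
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    /* No PT_GNU_STACK at all: the kernel's fallback is architecture-dependent
     * and on several is an executable stack, so treat it as a finding too. */
    return STACK_NO_HEADER;
}

/* Same check on a binary on disk, e.g. the "prog" of the slide. Program
 * headers sit near the start of the file, so the first 4 KiB suffice for
 * ordinary executables. */
int stack_flags_of_file(const char *path) {
    FILE *fp = fopen(path, "rb");
    if (!fp) return STACK_BAD_ELF;
    unsigned char buf[4096];
    size_t n = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    return stack_flags_of_elf64(buf, n);
}

/* Constructed sample: an ELF header followed by a single PT_GNU_STACK
 * program header carrying the given flags. Returns bytes written, 0 if
 * out is too small. */
size_t build_sample_elf(unsigned char *out, size_t out_size, uint32_t stack_flags) {
    size_t need = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr);
    if (out_size < need) return 0;
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;                 /* phdrs follow the header directly */
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 1;
    Elf64_Phdr ph;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return need;
}
```

Run stack_flags_of_file over a build output directory and any STACK_EXEC or STACK_NO_HEADER result is a binary that lost the default protection, typically through an assembly object without a .note.GNU-stack section or an explicit execstack -s.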

46 Some Seriously Weird Code
Function pointer definition + assignment
Look up Intel opcodes to discover what is going on … (or watch the video)
Binary has NX stack by default
Huh? Why not 0?

47 DEP: Data Execution Prevention
In Windows, this is enforced at the OS level
A program can attempt to change its policy at runtime

